What is HACIENDA?

Data reconnaissance tool developed by the CITD team in JTRIG

Port scans entire countries

- Uses nmap as port scanning tool
- Uses GEOFUSION for IP geolocation
- Randomly scans every IP identified for that country
Countries

• Completed full scans of 27 countries
• Completed partial scans of 5 additional countries








Tasking & Access

• To task HACIENDA with a Country or Subnet
• Access to the Data
  - At GCHQ, request a GLOBAL SURGE account from (gov.uk)
  - At CSEC, contact
  - At NSA, contact
  - At DSD, contact
Ports

• Pulls back hostname, banners, application names and port status
• Gathers additional information for...
  - 21 (ftp): directory listing
  - 80 (http): content of main page
  - 443 (https): content of main page
  - 111 (rpc): results of rpcinfo
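As an added defensive example (not part of the leaked slides), the following Python flags any source whose probes to the four service ports listed above spread across many distinct hosts inside a short time window, which is the signature a country-wide sweep leaves in perimeter logs. The log format, the addresses and the thresholds are constructed assumptions for this example.

```python
"""HACIENDA-style sweep detector: flags a source that probes the slide's
service ports (21, 80, 443, 111) on many distinct hosts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

SWEEP_PORTS = {21, 80, 443, 111}  # ports the Ports slide says are probed
# Constructed sample log (not from the slides). Assumed format:
#   <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <verdict>
SAMPLE_LOG = """\
2014-03-01T10:00:01 203.0.113.7 -> 192.0.2.10:21 DROP
2014-03-01T10:00:02 203.0.113.7 -> 192.0.2.10:80 ACCEPT
2014-03-01T10:00:30 203.0.113.7 -> 192.0.2.44:80 ACCEPT
2014-03-01T10:01:10 203.0.113.7 -> 192.0.2.201:21 DROP
2014-03-01T10:02:15 203.0.113.7 -> 192.0.2.17:443 ACCEPT
2014-03-01T10:03:40 203.0.113.7 -> 192.0.2.99:111 DROP
2014-03-01T10:05:02 203.0.113.7 -> 192.0.2.130:80 ACCEPT
2014-03-01T10:00:05 198.51.100.5 -> 192.0.2.10:443 ACCEPT
2014-03-01T10:04:00 198.51.100.5 -> 192.0.2.44:443 ACCEPT
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, port); verdict is ignored."""
    ts, src, _, dst_port, _ = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_sweepers(lines, min_hosts=5, window=timedelta(minutes=10)):
    """Return {src: (max_distinct_hosts, sorted_ports)} for each source whose
    probes to SWEEP_PORTS cover >= min_hosts distinct hosts within `window`."""
    events = defaultdict(list)  # src -> [(ts, dst, port)]
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port in SWEEP_PORTS:
            events[src].append((ts, dst, port))
    hits = {}
    for src, ev in events.items():
        ev.sort()
        best, start = 0, 0
        for end in range(len(ev)):
            while ev[end][0] - ev[start][0] > window:  # slide the window
                start += 1
            best = max(best, len({dst for _, dst, _ in ev[start:end + 1]}))
        if best >= min_hosts:
            hits[src] = (best, sorted({p for _, _, p in ev}))
    return hits

if __name__ == "__main__":
    for src, (hosts, ports) in find_sweepers(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: swept {hosts} hosts on ports {ports}")
```

The same check covers the netblock-wide port scan the LANDMARK slides later describe, since that too touches service ports across many hosts in minutes.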
The Results...

• All stored in JTRIG's internal database
• Available in GLOBAL SURGE
  - MAC's Network Knowledge Base Prototype
• Transferred by MAILORDER to
  - CSEC
  - DSD
  - NSA NTOC








UK TOP SECRET STRAP1 
TOP SECRET//COMINT//REL FVEY 




How is it used?

• ONE
  - ORB Detection
  - Vulnerability Assessments
• SD
  - Network Analysis
  - Target Discovery











TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL



The Hacking Process

(R)econnaissance
(I)nfection
(C)ommand And Control
(E)xfiltration

















Publicly Available Information
(Email Address, Location, Network Info, Passwords, etc.)

[Diagram label: Hacker]




Reconnaissance

Scan (Services)
Operating Systems
Versions
Domain Names










[Diagram labels: Hacker, Victim]
Exfil using known and custom protocols
(Known: HTTP, SMTP, ICMP, FTP, etc.)





XKEYSCORE C2C Session viewer

[Screenshot: session viewer listing eight captured USER/PASS pairs, all for the account "Administrator"]

Iraqi Ministry of Finance



Infection

Exfiltration






Windows cmd.exe

[Screenshot: C:\WINDOWS\system32\cmd.exe window showing "Microsoft Windows [Version 5.1.2600]" and "(C) Copyright 1985-2001 Microsoft Corp."]
Communications Security Establishment
Centre de la sécurité des télécommunications




Presentation Outline

LANDMARK - automated tradecraft to further expand CNE covert infrastructure
LANDMARK

CSEC's Operational Relay Box (ORB) covert infrastructure used to provide an additional level of non-attribution; subsequently used for exploits and exfiltration

2-3 times/year, 1 day focused effort to acquire as many new ORBs as possible in as many non 5-Eyes countries as possible



LANDMARK — the recent past....

February 2010

Operation encompassing the whole of LONGRUN solely using OLYMPIA (CSEC's network knowledge engine with automated tradecraft)

8 teams of 3 network exploitation analysts busy for 5-8 hours

A list of 3000+ potential ORBs
BUT, network analysis still manual!

LANDMARK today...

Network analysis tradecraft to determine vulnerable devices has been encoded within OLYMPIA



GSM provider

NSA TAO requested assistance gaining access to the network

Network analysis using OLYMPIA:

* DNS query to determine IP address
* IP address to network range
* Network range to port scan
* Are there any vulnerable devices in that range?

Duration: < 5 minutes




© Crown Copyright. All rights reserved. 





Benefits

■ Automated Vulnerability Assessment
  - Using Vulnerability Profiles for Remote and Content Delivery vectors
■ Automated Target Development and Monitoring
  - Identify and characterise target machines
■ Profiles machines, including:
  - Browser, OS, PSP, Patch History
  - Activity
  - Download
■ Automated Target Technology Tracking (Stats & Trends)
  - Browsers, OS, PSP etc.
■ ORB Identification
  - Initial ten-fold increase in ORB identification rate over manual process




Defining Attributes

Attribute Definition
■ Name
■ Description
■ Type
■ Data sources
Machine Communication Attributes

[Diagram labels: FTP lo, DNS Request, HTTPS connection]



Machine Attributes

• Open port (25, 80, 443)
• Server banner (Server: Apache)
• PSP fingerprint (Kaspersky v7.01)
• XFF (192.168.2.1)
• Web Request (test.exe, file.pdf)
• DNS Name (webhost.com)
• SNMP sysname





MUGSHOT GOALS

■ Automated Target Characterisation and Monitoring
  - Automatically understand everything important about CNE target networks from passive and active sources.
■ Automated Un-Targeted Characterisation
  - Automatically understand everything important about all machines on the Internet from passive and active sources.





